Open paultag opened 6 years ago
1) I thought in your test code, you already have a reset key function
2) the same goes with set PIN, PUK, mgmt key, it just not pretty
3) this one is definitely missing. So what is needed to generate CSR for a given slot? I
looked at the entry point for ykpiv or piv-tool, it does not have those functionality built-in, so one has to write them from scratch.
The issue with PIN is that we can read the management blob but there's no code to write it.
I have written a thing to make a CSR but it's usually domain specific and hackey.
Are you interested in sending a PR for any of this?
sure, when I look the code, you have most stuff there. The CSR for yubikey is a little corky (they should have an entry in their library). When I look at the crypto/x509 CreateCertificateRequest, it asked for a interface to the private key (which I think can be equate to the slot) and it wants the Crypto.Signer function which match your sign function, however, I am not that deep on go interface, so I will need to dig in a little further. Let me pull it and see what I can find out.
@paultag I have code that creates a self signed certificate for a slot (because there are third party tools that can't tell if a slot has a private key attached or not and can only view the certificate). Would you be interested in me cleaning that up and submitting a PR? It works fine with both GenerateRSA and GenerateEC keys.
EDIT: I can also make it more generic so it works with any CSR not just self-signing
@immesys Let me think a bit more about that and get back to you - the big part of this issue is mostly about stuff like setting the PIN/PUK from the Yubikey defaults -- and in particular writing data to the token in the same format pivman
does/did, for use with the ManagementKeyIsPIN
flag. The self-signed certificate stuff would be helpful.
I don't quite know how to fit the self-signed Certificate generation in as part of the Generation step as the API exists today, and I don't want to keep proliferating Generate calls. Maybe we need a Generate{RSA,EC}WithOptions
and have the existing calls call Generate{RSA,EC}WithOptions
and add a Deprecation notice to the old ones?
As for the other half of this issue, it's basically straightforward to write it in away we can consume (it's DER encoded byte arrays IIRC), I didn't do it when I first wrote the reading code because I wasn't sure it wouldn't break other things (like pivman
). The pivman.go file has the bits where it is able to pull the salt (to derive the Management key), and I think it has enough to reverse how to generate the structure too.
What do you think @immesys?
Simple tool to set up a token: